Production change requires approved PR + tests
Demonstrate that production deployments consistently require approved pull requests with passing automated tests, and that no changes bypass this workflow.
Description
What this control does
This control requires that every code or configuration change deployed to a production environment pass through a pull request (PR) approval process and automated testing before it is merged and deployed. The PR workflow requires peer review by authorized personnel, and the automated tests (unit, integration, security, or regression) must run and pass on the final revision of the change, not only on an earlier draft that was later amended. This control prevents unauthorized, untested, or defective code from reaching production systems, reducing the risk of service outages, security vulnerabilities, and data corruption caused by inadequate change vetting.
Control objective
What auditing this proves
Demonstrate that production deployments consistently require approved pull requests with passing automated tests, and that no changes bypass this workflow.
Associated risks
Risks this control addresses
- Unauthorized developers merge malicious or backdoored code directly to production without oversight
- Defective code lacking test coverage causes production outages or data loss
- Security vulnerabilities introduced by unreviewed code changes are deployed to customer-facing systems
- Configuration errors bypass validation and misconfigure critical services or expose sensitive data
- Insider threat actors or compromised accounts push changes without accountability or audit trail
- Regression defects reintroduce previously resolved bugs due to insufficient automated testing
- Compliance violations occur when changes lack documented approval and traceability
Testing procedure
How an auditor verifies this control
- Obtain a list of all production repositories and deployment pipelines from version control and CI/CD systems (e.g., GitHub, GitLab, Azure DevOps, Jenkins).
- Review branch protection policies for production branches (main, master, production) to verify that PR approval requirements, minimum reviewer counts, and test status checks are enforced, and note whether the rules also apply to administrators and whether direct pushes, force pushes, and branch deletion are blocked.
- Export and examine CI/CD pipeline configurations to confirm automated tests (unit, integration, security scans) are mandatory gates before merge or deployment.
- Select a sample of 15-20 recent production deployments and retrieve corresponding pull request records, including PR metadata, approval timestamps, approver identities, and test results.
- Verify that each sampled PR shows at least one approver distinct from the author, that the approval was recorded against the commit actually merged (not an earlier revision superseded by later pushes), that all required tests passed on that commit, and that no override or emergency bypass was used without a documented exception.
- Interview DevOps and engineering leads to confirm the process for emergency changes, identifying whether emergency procedures include post-deployment review and testing.
- Test branch protection enforcement by attempting, with a non-privileged account, to push directly to a production branch and to merge a PR with failing tests, confirming that the system blocks both actions; repeat with an administrator account if the policy is intended to apply to administrators as well.
- Review the audit and access logs of the version control and CI/CD systems for the past 90 days to identify any commits on production branches that are not associated with a merged PR, and any modification, removal, or override of branch protection rules, investigating each instance for authorization and justification.
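The following Python script is an added example, not part of the original control text or of any vendor's tooling. It mechanizes the configuration review, the per-PR sample check, and the direct-commit search from the procedure above. Field names follow the shape of GitHub's REST API responses for branch protection, pull requests, reviews and commit statuses so that exported JSON can be fed in, but every record below (repository settings, user names, commit hashes, timestamps) is constructed for illustration, and the gate names in REQUIRED_CHECKS are assumed, not taken from the page.

```python
"""Scripted checks for the 'approved PR + passing tests' control (added example).

Dictionary shapes mirror GitHub's REST API, but all sample records below are
constructed, and the check names in REQUIRED_CHECKS are assumed gate names.
"""

# Status contexts treated as mandatory merge gates (assumed names).
REQUIRED_CHECKS = frozenset({"ci/unit-tests", "ci/integration-tests", "security/sast"})


def audit_branch_protection(protection, required_checks=REQUIRED_CHECKS, min_reviews=1):
    """Compare one branch-protection object against the control.

    Returns a list of findings; an empty list means approval, test gates and
    no-bypass settings are enforced by configuration rather than by habit.
    """
    findings = []
    reviews = protection.get("required_pull_request_reviews")
    if reviews is None:
        findings.append("pull request reviews are not required")
    else:
        if reviews.get("required_approving_review_count", 0) < min_reviews:
            findings.append("fewer than %d approving reviews required" % min_reviews)
        if not reviews.get("dismiss_stale_reviews", False):
            findings.append("approvals survive new commits (stale reviews not dismissed)")
    checks = protection.get("required_status_checks")
    if checks is None:
        findings.append("no status checks are required before merge")
    else:
        missing = required_checks - set(checks.get("contexts", []))
        if missing:
            findings.append("required checks not enforced: " + ", ".join(sorted(missing)))
        if not checks.get("strict", False):
            findings.append("branch may merge without being up to date with its base")
    if not protection.get("enforce_admins", {}).get("enabled", False):
        findings.append("administrators may bypass the protection rules")
    if protection.get("allow_force_pushes", {}).get("enabled", False):
        findings.append("force pushes to the protected branch are allowed")
    return findings


def audit_pull_request(pr, reviews, statuses, required_checks=REQUIRED_CHECKS):
    """Check one sampled PR: a non-author approval recorded against the final
    head commit, and every required check 'success' on that same commit."""
    findings = []
    author = pr["user"]["login"]
    head_sha = pr["head"]["sha"]
    # Keep the latest review per reviewer: a later CHANGES_REQUESTED supersedes an APPROVED.
    latest = {}
    for review in sorted(reviews, key=lambda r: r["submitted_at"]):
        latest[review["user"]["login"]] = review
    approvers = [login for login, r in latest.items()
                 if r["state"] == "APPROVED" and login != author and r["commit_id"] == head_sha]
    if not approvers:
        findings.append("no approval from a non-author reviewer on head commit %s" % head_sha[:7])
    states = {s["context"]: s["state"] for s in statuses}  # statuses are for head_sha
    for check in sorted(required_checks):
        if states.get(check) != "success":
            findings.append("required check %s is %s" % (check, states.get(check, "missing")))
    if pr.get("merged_at") and findings:
        findings.append("merged despite unmet requirements: investigate as a bypass")
    return findings


def find_direct_commits(branch_commits, merged_prs):
    """Commits on the production branch that are not the merge commit of any PR.
    Assumes merge-commit or squash merges; rebase merges need per-commit matching."""
    merge_shas = {p["merge_commit_sha"] for p in merged_prs}
    return [c["sha"] for c in branch_commits if c["sha"] not in merge_shas]


# --- constructed sample records (not real repositories, users or commits) ---
WEAK_PROTECTION = {
    "required_pull_request_reviews": {"required_approving_review_count": 1, "dismiss_stale_reviews": False},
    "required_status_checks": {"strict": True, "contexts": ["ci/unit-tests", "ci/integration-tests"]},
    "enforce_admins": {"enabled": False},
    "allow_force_pushes": {"enabled": False},
}
HARDENED_PROTECTION = {
    "required_pull_request_reviews": {"required_approving_review_count": 1, "dismiss_stale_reviews": True},
    "required_status_checks": {"strict": True, "contexts": sorted(REQUIRED_CHECKS)},
    "enforce_admins": {"enabled": True},
    "allow_force_pushes": {"enabled": False},
}
PR_GOOD = {"number": 101, "user": {"login": "alice"}, "head": {"sha": "a1b2c3d4"},
           "merged_at": "2024-05-01T10:00:00Z", "merge_commit_sha": "m101"}
REVIEWS_GOOD = [{"user": {"login": "bob"}, "state": "APPROVED", "commit_id": "a1b2c3d4",
                 "submitted_at": "2024-05-01T09:30:00Z"}]
STATUSES_GOOD = [{"context": c, "state": "success"} for c in REQUIRED_CHECKS]
PR_BAD = {"number": 102, "user": {"login": "carol"}, "head": {"sha": "deadbeef"},
          "merged_at": "2024-05-02T16:00:00Z", "merge_commit_sha": "m102"}
REVIEWS_BAD = [{"user": {"login": "dave"}, "state": "APPROVED", "commit_id": "0ld0ld00",  # stale: earlier commit
                "submitted_at": "2024-05-02T14:00:00Z"}]
STATUSES_BAD = [{"context": "ci/unit-tests", "state": "success"},
                {"context": "ci/integration-tests", "state": "failure"},
                {"context": "security/sast", "state": "success"}]
BRANCH_COMMITS = [{"sha": "m101"}, {"sha": "m102"}, {"sha": "f00dface"}]  # last one was pushed directly

if __name__ == "__main__":
    print("weak config:", audit_branch_protection(WEAK_PROTECTION))
    print("PR 102:", audit_pull_request(PR_BAD, REVIEWS_BAD, STATUSES_BAD))
    print("direct commits:", find_direct_commits(BRANCH_COMMITS, [PR_GOOD, PR_BAD]))
```

In practice the inputs come from the branch protection, pull request, reviews and commit status endpoints (or the equivalent exports from GitLab or Azure DevOps); the stale-approval and head-commit checks are the ones most often missed when an auditor only looks at the PR's "approved" badge.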
Where this control is tested